(Bloomberg) — More than 2,100 computers worldwide running software made by VMware Inc. were affected over the weekend, researchers and cybersecurity officials said. The server software was infected with ransomware that exploited a two-year-old security gap.
The infected machines are among more than 66,000 Internet-connected computers that may have been targeted, said Patrice Auffret, founder and CEO of a French cybersecurity firm that scans the Internet for fingerprints of attackers' code. Cybersecurity agencies in France, Italy, Canada and other countries issued messages about the attack, urging organizations using the vulnerable software to avoid it.
"What's surprising is how quickly they attack machines," Auffret wrote in an email.
The hackers infected more than 2,000 vulnerable computers within 24 hours, Auffret said. It is not yet known which victims were compromised in the attack.
"The timing was smart. Sysadmins and security teams don't work much on weekends," he said. "The authors probably wanted to finish their dirty work on the weekend to get a high score."
The attacks are the latest example of hackers exploiting old vulnerabilities in widely used software. In this case, they exploited a flaw in VMware's ESXi "hypervisor" code for servers to extort money from organizations that had not carried out the necessary maintenance for a long time. In 2021, the company released a software fix for this problem.
Security experts say that once a software company releases a patch, revealing a security flaw in one of its products, hackers begin scouring public data to determine whether an attack is feasible. It's a decades-long race between hackers trying to exploit holes in corporate technology and security professionals trying to fix them. Patch Tuesday, Microsoft Corp.'s monthly review of corporate technology flaws, often creates a rush to fix those flaws.
"The target vulnerability is two years old and should have been fixed, but it is clear that many servers are still unprotected," Stefano Zanero, professor of cybersecurity at the Politecnico di Milano, said in an interview.
According to Alexander Leslie, an analyst at Recorded Future Inc., only one of the 426 crypto wallets linked to the hack showed a balance, of around $11,700, a sign of the limited impact of the weekend hack.
"At this point, the scale of destruction and failure may outweigh any material gain for the attacker," Leslie tweeted.
"CISA is working with government and private sector partners to assess the impact of reported incidents and provide necessary assistance," said a spokesperson for the US Cybersecurity and Infrastructure Security Agency.
It is unclear whether the latest campaign is linked to last week's ransomware attack on ION Trading UK, security experts said. That breach was carried out by the notorious ransomware group LockBit, which the US Department of Justice says has been active since January 2020, hacking up to 1,000 victims worldwide and extorting at least $100 million from these organizations.
LockBit, the group behind last week's attack on ION Trading UK that disrupted derivatives trading, says it has received the ransom and unlocked the files. The company described the attack as "involving VMWare servers," but it was unclear whether the incident was related to the campaign exploiting the two-year-old security flaw. ION declined to comment on whether a ransom had been paid.
Contributed by Andrew Martin, Jan Fischer, Ryan Gallagher and Tommaso Ebhardt.
(Updated with details).
© 2023 Bloomberg LP